Recent research has revealed a significant security exposure affecting hundreds of thousands of Prometheus servers and exporters, leaving them susceptible to password exposure, denial-of-service (DoS) attacks, and repojacking threats. Prometheus is a widely used open-source monitoring tool vital for application performance and cloud infrastructure oversight. However, the risks of exposing it are often overlooked.
Research Findings
Security experts from Aqua Nautilus have identified over 40,000 exposed Prometheus servers and more than 296,000 exposed exporters using Shodan, a search engine for Internet-connected devices.
Data Exposure
The data collected by Prometheus might appear innocuous—covering application metrics such as CPU, memory, and disk usage. However, upon deeper analysis, researchers discovered exposed plaintext passwords, tokens, and sensitive API addresses.
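As an added example (not code from Aqua Nautilus or the Prometheus project), the following sketch checks the text of your own `/metrics` output for labels that look like leaked credentials of the kind described above. The name patterns, the function name and the sample metrics are assumptions constructed for illustration.

```python
import re

# Heuristic label names that suggest a credential (assumed list for this example).
SENSITIVE_NAME = re.compile(r"(pass(word|wd)?|secret|token|api_?key|auth)", re.I)
# Label values that embed credentials in a URL: scheme://user:pass@host
URL_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
# One name="value" pair inside the {...} label set; values may hold \" escapes.
LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')
# A sample line in the text exposition format: metric_name{labels} value
SAMPLE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)\{(.*)\}\s+\S+')

def find_secret_labels(exposition_text):
    """Return (metric, label, reason) for labels that look like leaked secrets."""
    findings = []
    for line in exposition_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blank and HELP/TYPE lines
            continue
        m = SAMPLE.match(line)
        if not m:                               # sample without a label set
            continue
        metric, labels = m.groups()
        for name, value in LABEL.findall(labels):
            if not value:                       # empty value leaks nothing
                continue
            if SENSITIVE_NAME.search(name):
                findings.append((metric, name, "sensitive label name"))
            elif URL_CREDS.search(value):
                findings.append((metric, name, "credentials in URL"))
    return findings

# Constructed sample of /metrics output (not taken from any real server).
SAMPLE_METRICS = '''\
# HELP node_cpu_seconds_total Seconds the CPUs spent in each mode.
# TYPE node_cpu_seconds_total counter
node_cpu_seconds_total{cpu="0",mode="idle"} 12345.6
app_db_info{host="db.internal.example",password="EXAMPLE-ONLY"} 1
app_upstream_up{target="https://svc:EXAMPLE-ONLY@api.internal.example/v1"} 1
app_build_info{version="1.2.3",auth_token=""} 1
'''

if __name__ == "__main__":
    for metric, label, reason in find_secret_labels(SAMPLE_METRICS):
        print(f"{metric}: label '{label}' flagged ({reason})")
```

The findings deliberately omit the label values so that the report itself does not copy the secret into another log.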
Case Evidence
One specific case involved an unauthenticated Prometheus instance belonging to Skoda Auto, which inadvertently revealed the company's subdomains and Docker registries.
DoS Risks
Open Prometheus endpoints, such as '/debug/pprof', provide profiling tools that, if left unsecured, could be exploited to crash cloud services like AWS EC2 or Kubernetes pods. During tests, researchers successfully disrupted virtual machines multiple times using easily executable scripts.
Repojacking Threats
Aqua Nautilus also highlighted vulnerabilities related to "repojacking." This occurs when a developer’s GitHub account changes or is deleted without a proper namespace retirement, allowing attackers to assume the username and inject malware into repos previously owned by the developer.
Prometheus Exporter Vulnerabilities
Some Prometheus exporters were linked to usernames that could be easily hijacked. If projects that reference them don't update their redirect links, they risk integrating malicious code.
Mitigation Measures
This issue was promptly reported to Prometheus and has been resolved. However, repojacking remains a broader concern across open-source projects. Continuous monitoring and the use of automated scanning tools are recommended to protect against such threats.